Meet the PCI DSS
requirements

The solution based on 3 products creates an access management system to the customers' data of financial institutions and companies

SCHEDULE DEMO
prew-product

Task

In April 2016, the new PCI DSS 3.2 version was adopted. Some of the changes introduced in this version become effective on the February 1st, 2018. These are changes in employee authentication upon access to bank information systems. In particular, starting from February 1st, 2018, multi-factor authentication becomes mandatory for a number of access scenarios.

The PCI DSS defines the following factors or methods of user authentication:

  • Something that you know;
  • Something that you have;
  • Something that you possess.

Here are some examples of the mentioned factors, that are the most frequently used in practice of multi-factor authentication.

Something that you know

  • USB key or smart card PIN code. PIN is stored in device memory only and is used to access the protected data area of a smart card or USB key to perform various cryptographic operations, including the authentication ones.
  • Answer to security question. As a rule, this method is used as redundant for access recovery. For security reasons, it is recommended to require correct answers for several questions.
  • Classic conventionally constant password.

Something that you have

  • USB key or smart card. Such devices have private key stored on them to perform asymmetric cryptography operations, and also other key data
  • OTP-key — one-time password (OTP) generator. OTP hardware generation device. The most commonly used standard of one-time password generation are OATH TOTP and HOTP algorithms. There also are proprietary OTP generation algorithms (RSA, for example)
  • User smartphone. A user smartphone can be used as: (a) mobile application for OTP generation; (b) device to receive OTP via SMS; © mobile application for out of band authentication using push notifications
  • Proximity card (RFID). Such cards can be used both for logical access to information systems and for physical access to company premises

Something that you possess (something that you are)

This category holds all the technologies based on the biometric data.

  • Currently, the most widely spread biometric authentication method is fingerprint verification. Today, this technology has one of the best quality-price balances among the biometric technologies.
  • Vein pattern This technology uses hand or finger vein pattern to create a biometric template. The advantages of the technology are high recognition accuracy and hygienic cleanness, as vein pattern recognition is performed at distance, with no direct contact between palm or finger and scanner.
  • Photo (2D face image). This technology is one of the cheapest biometric authentication methods, as it does not require usage of special devices. A disadvantage of the technology is that recognition accuracy is dependent on the room illumination.
  • 2D and 3D face image. For authentication with 2D and 3D face image, Intel RealSense™ technology is used. This allows for obtaining of highly accurate face image (in IR band as well) and thus for higher authentication accuracy.
  • Voice biometrics. As is the case with face photo image, voice biometrics is also one of the cheapest authentication methods. The technology advantage is the opportunity to use phone calls for authentication. The drawbacks are relatively low recognition accuracy and limited number of usage scenarios.

It should be noted that the standard requires combined use of at least two different authentication factors. In other words, use of two passwords or two fingerprints is not multi-factor authentication. The most frequent practical combinations of various authentication factors are listed below:

  • Smart card (with private key and certificate) + PIN code
  • Constant password + one-time password
  • Proximity card + constant password
  • Proximity card + fingerprint verification
  • Fingerprint verification + constant password
  • Smartphone application (push notification) + constant password
  • Smartphone application (push notification) + fingerprint verification

Solution

The Axidian products allow for implementation of all the mentioned authentication factor combinations and also support the opportunity of authentication scenario list expansion upon request. The following products are used to build the multi-factor authentication system:

Axidian CertiFlow

Centralized lifecycle management system of smart cards, USB tokens and digital certificates. Axidian CertiFlow makes it possible to reduce the PKI infrastructure usage expenses and increase its efficiency by applying a centralized smart card and certificate usage policy, routine automation and user self-service.

Axidian Access

Axidian Access (Axidian Access) is the universal authentication system, designed to implement the strong and/or multi-factor authentication in any enterprise systems: OS, web- and mobile applications, VPN, VDI, SAML-compatible applications etc. Enterprise Single Sign-On technology is also supported.

The following are comments on implementation of certain requirements of PCI DSS 3.2 to authentication using the Axidian software.

PCI DSS 3.2 requirement Comments

8.1.3 Immediately revoke access for any terminated users.

8.1.3.b Verify all physical authentication methods—such as, smart cards, tokens, etc.—have been returned or deactivated.

The Axidian CertiFlow contains the service for monitoring of account statuses of smart card and certificate users. When an account is deactivated, the service automatically revokes the user’s digital certificates. This allows for timely prevention of dismissed employee’s card and certificate usage. The Axidian CertiFlow also stores the information about the cards and USB tokens assigned to the user to control the devices’ application.

8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.

8.1.6.a For a sample of system components, inspect system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than six invalid logon attempts.

The Axidian CertiFlow uses centralized management of PIN code policies. This allows for unified settings to be applied for all smart cards, including the number of logon attempts until smart card is locked.

The Axidian Access also allows for centralized definition of authentication method locking upon exceeding the defined number of logon attempts.

8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:

  • Something you know, such as a password or passphrase
  • Something you have, such as a token device or smart card
  • Something you are, such as a biometric.

Axidian CertiFlow and Axidian Access allow to use all the mentioned authentication methods. At that, depending on the environment, different authentication variants may be available to employee (for example, smart card + PIN code for OS logon and password + OTP for VPN access).

8.2.2 Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys.

The Axidian CertiFlow supports the redundant authentication technology that uses security questions to perform smart card unlocking operations. This allows to meet the requirement when performing operations with smart card PIN code.

8.2.3 Passwords/passphrases must meet the following:

  • Require a minimum length of at least seven characters.
  • Contain both numeric and alphabetic characters.

Alternatively, the passwords/ passphrases must have complexity and strength at least equivalent to the parameters specified above.

The Axidian CertiFlow utilizes centralized management of PIN code policies. This allows for applying unified settings to all the smart cards, including the requirements to PIN code complexity.

8.2.4 Change user passwords/passphrases at least once every 90 days.

The Axidian CertiFlow utilizes centralized management of PIN code policies. This allows for applying unified settings to all the smart cards, including the requirements to PIN code validity terms.

8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used

The Axidian CertiFlow utilizes centralized management of PIN code policies. This allows for applying unified settings to all the smart cards, including the requirements to PIN code history.

8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use

The Axidian CertiFlow utilizes centralized management of PIN code policies. This allows for applying unified settings to all the smart cards, including the requirements to generation of random PIN codes and mandatory change of PIN code upon the first logon.

8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication

The requirement can be met either using PKI (public key infrastructure) or without it. Combination of technologies is also possible. For example, like this:
— Smart cards and digital certificates are used for authentication in local operation mode (OS and applications);
— One-time passwords are used for remote access (e.g., for VPN authentication).
The choice of technologies is conditioned by the hardware and software used. Besides, the choice of technology can be dependent of the user role and privileges (e.g., employees can use certificates, and third parties — SMS only). The Axidian CertiFlow and Axidian Access software allow for implementation of any authentication scenario, not dependent on certain technologies.

Get the budget estimation of your project

GET QUESTIONNAIRE
prew-product-work

Industries

Learn how multiple industries enjoy benefits from implementing our products

Prev
Next

industry about us

quot-mark
avt-1
Andy Woo
Regional Director of Pacific Tech

At Pacific Tech, we are continuously evolving and bringing new solutions to our partners and customers in the region. We are delighted to be partnering with Axidian. With Axidian, we found a comprehensive access management solution which perfectly complements the growing population of Singapore work-from-home workers. As a leading cyber security solution provider, this strategic partnership is perfect for our two companies.

read more
quot-mark
avt-2
KC KuppingerCole Report
Executive view

Axidian’s innovative approach towards designing its whole product portfolio as a highly modular open application platform allows the customers to pick and choose the modules as needed and grow in the future as their business needs expand. Even out of the box, Axidian CertiFlow provides comprehensive yet convenient management capabilities for both administrators and end users.

read more
quot-mark
avt-3
Michael Bürger
Founder & Sales Partner at EU-HUB Network

Since approximately 5 years now I’m working with Axidian quite successfully. First as my vendor client and next as a trusted innovative software partner. Now we are re-selling Axidian software as a Distributor for the EU and beyond. Often I met Axidian CEOs, CTO, Product Management, Partner Managers and System Engineers, on the the phone and even in person in London and Munich and always my feeling was that this is are smart people, an excellent organized company, straight forward thinking and | don’t have any doubt that together we will be very successful this decade in the 2020s on everything we target.

quot-mark
avt-4
Leo Querubin
Executive Director for Business Development of Pointwest Technologies Corporation

The products of Axidian, like Axidian Access, a software for strong and multi-factor authentication (MFA), can provide the structural changes that force everyone to follow necessary cybersecurity procedures. Customers get the best of both worlds — the world-class cybersecurity products of Axidian and the experience and expertise of the local cybersecurity landscape of Pointwest.

read more
quot-mark
avt-4
Volkan Duman
Information Technologies General Manager at vMind

As a result of the long-term laboratory tests and studies that we conducted, we believe that Axidian products should certainly be on the Turkish market. Thanks to our partnership with Axidian, we sought to expand the access control and certificate management market, which is located in a narrow profile in the country, as well as add value by transferring technology to our country. When we compare Axidian products with similar products, we can safely say that they contain much more different features and are more inclusive.

read more
quot-mark
avt-4
Marko Pust
Director of OSI.SI

We have a long partnership with Axidian for more than 2 years already. I can confidently say that Axidian CertiFlow is one of the best and technologically enhanced products for managing digital certificates and smart cards on the EU market. This product has a number of unique features such as Client Agent and Axidian AirCard Enterprise network-attached smart card that are highly valued by our customers. One of the customers said that Axidian CertiFlow brought automation and visibility to their PKI life.

quot-mark
avt-4
Heng Lie
Director of Synnex Metrodata Indonesia

I believe that Axidian Access is an excellent solution for many of our clients. It manages access to all information systems of the enterprise and protects companies from internal and external cyber threats. It is a flexible platform combining different authentication scenarios and methods.

quot-mark
avt-4
Sergey Yeliseyev
X–Infotech Owner, Business Development Director, Government eID solutions

Axidian is the company of professionals in the field of information security. They provide top-level solutions for PKI management and access control to corporate resources. We recommend this company as a reliable partner.